A misconfigured Elasticsearch server is responsible for exposing the personal details of a large number of Razer customers.
The IT security researchers Volodymyr “Bob” Diachenko identified a security lapse at Razer Inc., a globally operating gaming hardware manufacturer, which led to the exposure of the private data of nearly 100,000 customers of Razer.
It is unclear exactly how many customers were impacted by the unfortunate configuration mishap. Diachenko claims that his assumption that roughly 100,000 customers are affected is based on the number of exposed email IDs.
The exposed data includes sensitive private details, such as full name, phone number, email address, internal customer ID, billing/shipping address, order details, and order number.
Diachenko revealed that the data was originally part of a massive reserve of information that the company had stored in an Elasticsearch server.
The incident should not come as a surprise since Elasticsearch servers have a long history of exposing data online. Furthermore, misconfigured databases have exposed billions of sensitive records in the last couple of years. In fact, the situation is so critical that according to a new poll, database configuration errors are the number one threat to cloud security.
According to a blog post published by the researcher, a configuration error caused the data to become publicly accessible from August 18, 2020. What’s worse is that the company was quickly notified about the misconfigured Elasticsearch cluster via its support channel, but the message could not reach the right people for more than three weeks.
Later, Razer Inc. took notice and released the following statement:
“We were made aware by Mr. Volodymyr of a server misconfiguration that potentially exposed order details, customer, and shipping information. No other sensitive data such as credit card numbers or passwords were exposed.”
According to Razer, the misconfigured server was fixed on September 9. The company thanked Bob Diachenko and claimed that the necessary steps to prevent similar issues were underway. The company also promised to conduct a ‘thorough review’ of its IT security and systems.
Diachenko warns that Razer customer must remain alert as they could be at risk of targeted phishing attacks. He explained that criminals could use the information and pose as a Razer agent to conduct fraud. Therefore, any suspicious emails or messages should be ignored by Razer customers. Also, they must not click on any URL links without verifying the legitimacy of the sender.